Cyber-security

Difference Engine: Swamped with data

LET it be agreed that something serious needs to be done to contain the mounting cost of cyber-crime. Though no-one knows for sure, corporate America is believed to lose anything from $100 billion to $1 trillion a year from online theft of proprietary information—trade secrets, research findings, internal costs, marketing plans, personal information, credit-card numbers, bank-account details and much more. In many instances, digital fingerprints implicate hackers in China, Russia and elsewhere. This is a serious issue that undermines American competitiveness, costs the country jobs, hurts exports, erodes companies' bottom lines and saps the nation's entrepreneurial vigour. Without question, something has to be done.

Let it also be agreed that cracking down on cyber-crime does not—and should not—require the population at large to surrender any constitutional rights. It is not beyond the wit of government sleuths to devise procedures for tracking online criminals without causing harm to the general public. That, surely, is the first commandment of law enforcement in any democracy.

Let it further be agreed that Americans are among the most fortunate of people. The wisdom of the country's founders has bequeathed them a set of inalienable rights that are the envy of the world. In particular, the ten constitutional amendments promulgated in 1791 and embodied in the Bill of Rights endow the common people with sovereign authority over their own freedom and well-being.

What, then, are American citizens to make of their government's latest attempt to fight online crime on their behalf? To say the Cyber Intelligence Sharing and Protection Act (CISPA), which the House of Representatives approved on April 26th by a 248-168 majority, is controversial is to put it mildly. The bill is essentially an amendment of the National Security Act of 1947, which contains no direct provisions for dealing with cyber-crime. CISPA's aim is to make it easier for the federal government and private companies to share data about online threats with one another.

At present, government information about such matters is classified. As such, it is illegal for government agencies to share what they know about online threats with the private sector. Meanwhile, companies are reluctant to share their own knowledge with one another and the government for fear of running foul of anti-trust rules. Were it to become law, CISPA would facilitate the exchange of information between the two.

At first glance, CISPA looks a good deal for companies confronting such threats on a daily basis. Unlike last year's Stop Online Piracy Act or the PROTECT IP Act—both of which died on the floor of Congress after being skewered by the private sector for violating free speech and raising the cost of doing business—CISPA has been widely backed by information-technology firms, including AT&T, Facebook, Microsoft, IBM, Intel, Oracle and Symantec. As Robert Holleyman of the Business Software Alliance notes, the act “unties the hands of companies on the front lines of the digital economy”.

Yet companies are deluding themselves if they think CISPA is there to help them. The act's congressional sponsors have little interest in the private sector's woes over online crime. Instead, CISPA treats cyber-security as strictly an intelligence operation against individuals, rather than an attempt to thwart crime against corporations. In the circumstances, the flow of information would be almost exclusively one way—from the private sector to the central government.

If CISPA were to become law, firms that collect lots of information on individuals (eg, internet service providers, phone companies, tech firms and online retailers) would quickly find themselves being coerced into helping the National Security Agency (NSA) and the Department of Homeland Security (DHS), among others, to ferret out members of the public with anti-social tendencies. Given CISPA's ability to exempt companies from prosecution, they would be pressed to hand over customers' e-mails, web-postings and even social-media musings without the latter's knowledge or consent, and without any justifiable cause for believing them to be a danger to society.

Regrettably, such government pressure is not uncommon. From 1945 onwards, the NSA ran a clandestine telegram-interception programme called Operation Shamrock. This forced telegraph companies, foreign as well as domestic, to hand over copies of all the messages sent to and from the United States. Later, President Nixon, plagued by anti-Vietnam-war protests, had Operation Shamrock eavesdrop on American citizens as well.

More recently, the NSA sought, and received, billions of customer records from AT&T, Verizon and other phone companies. Only Qwest refused to comply. Verizon also turned over customer data to the Federal Bureau of Investigation without a court order. In 2008, after a whistle-blower at AT&T accused his employer of illegally opening its network to the NSA, the practice was retroactively legalised by Congress.

CISPA would go further still. If it became the law of the land, it would trump all existing federal and state laws concerning privacy, wire-tapping and surveillance. In so doing, it would allow the NSA, DHS and any other government eavesdroppers to spy on private individuals without having to face criminal charges, independent oversight or the need to obtain a warrant from a judge. (The British government likewise is planning to eavesdrop on all web traffic.)

Many Americans find such unrestricted collection of personal data an unwarranted intrusion by the government and more than a little scary. The First Amendment is supposed to protect citizens' freedom to say more or less whatever they like without fear of retribution. The Fourth Amendment protects them from unreasonable search and seizure. CISPA would ride roughshod over both. And, in the process, it would do little to help solve the problem of corporate cyber-crime.

It is not as though it would do much for national security, either. Today, the NSA is swamped with data on American citizens. William Binney, who served with the agency for 30 years and was once director of its World Geopolitical and Military Analysis Reporting Group, reckons the NSA has already collected some 20 trillion “transactions” (ie, telephone calls, e-mail messages and other forms of personal data) from American citizens without their knowledge. That is over 60,000 items of information for every man, woman and child in the country.

The data are collected mainly by NarusInsight monitoring devices, which analyse traffic at choke points on the internet. The equipment, made by Narus, a subsidiary of Boeing based in Sunnyvale, California, is alleged to have been used by AT&T to collect customer data on behalf of the NSA. The company's latest technology, codenamed Hone, uses artificial intelligence to identify the voice-prints and photographs of individuals that fit a particular target profile, and then matches them with specific phone numbers.

Meanwhile, the NSA has had to build a huge storage facility in Bluffdale, Utah, to handle the enormous spillover from its data-processing centres in San Francisco and elsewhere around the country. The additional flood of data from CISPA would bring Bluffdale and the NSA's other centres to their knees.

According to IDC's Digital Universe Study, some 1.8 sextillion (10²¹) bytes of data were added to the world's memory banks last year, about a third of which passed through American networks. Not even companies that specialise in “big data”, let alone government agencies, could hope to analyse such an inundation.

The task of analysing the world's data to identify potential cyber-threats “has gone from difficult to impossible,” concludes “Future Tense”, a study by Arizona State University, the New America Foundation and Slate, an online magazine. “This shift completely redefines the cyber-security problem,” noted John Villasenor, a professor of electrical engineering who is also a fellow of the Brookings Institution, an American think tank, in a posting on Slate last week. “The idea underpinning CISPA—that the government should sit at the centre of the cyber-security universe, collecting all the information about cyber-threats, analysing it and dispensing solutions—will no longer work.” There are just too many data points today.

The answer, surely, is to focus on specific domains where the amount of data has remained more manageable—like the electricity grid, the financial system, and the mobile-phone networks. The government has a vital role to play in securing such critical infrastructure. This much was at least recognised by the Cybersecurity Act of 2012, the Senate's alternative to CISPA. The Senate bill aims more realistically to enhance merely the reliability and resilience of America's computer and communications networks.

As the “Future Tense” study concludes, the days when the government could act effectively as the cyber-security czar for all of digital America are gone. With or without legislation, those days are not coming back. The proper cyber-security strategy is one that is both agile and distributed—just like many of the threats it will need to counter.

CISPA reminds me of an overarching objective to remove "Chinese Walls" between all the facilitators of those who hold personal information on individuals. How exactly that could be achieved with efficiency in combating cyber threats must remain very unclear and one would expect Congress (and others looking on with interest such as Britain given its desire to implement a snooping bill) to consider the costs involved in running what surely would amount to a very extensive and complex operation.

Realistically, the Cybersecurity Act of 2012 is more pragmatic and rational in its approach. Segmentation at least helps providers to better identify and act upon where those threats have originated from.

I always find it ironic that some of the biggest promoters of 'small government', who make all kinds of empty BS rhetoric about 'freedom' and 'liberty', are only too happy to constantly vote 'Yes', as they did today in the House, on bills that dramatically expand the ability and authority of the US gov't to monitor its citizens.
I looked quickly at a dozen of the Tea Party members who came in with the House class of 2010 and only 2 voted against it. Typical. Tea Party pukes who say they support libertarian ideas but voted this week not to cut a single dollar from the defense budget and voted 'yes' for yet another bill which massively expands govt-monitoring authority. Bloated defense spending, endless war, and massive gov't oversight over its citizens. Sure doesn't sound very libertarian to me; more like how a fascist would think.

The comments are missing the most salient point, which is that we need to be very mindful and proceed down a path that does not sacrifice privacy for the illusion of security. We need to focus on our behavior and develop technology that protects privacy (both for our institutions and for each of us as individuals) so that we can have more robust and genuine security.

The way to think about this is to think about herd immunity as an epidemiologist would. From an epidemiological perspective, each individual is protected and so the herd becomes more secure. Mass surveillance is not the answer; in fact it becomes a force multiplier for the problem because it just exposes even more information.

We need to focus on hardening the weak points (end point and mind point devices) and eliminating the security holes by developing new architecture, and coupling that with informed behavior, rather than leaving a gaping hole through which the vast majority of information and communication can be monitored and surveilled. Because you can count on the fact that if the NSA knows, so does every other sophisticated nation and criminal organization.

Privacy and security are intertwined, with more privacy comes more security.

I found this post to be written with an excess of enthusiasm. For example, other countries have Constitutions that proclaim rights. We studied the USSR's when I was a kid and it was a model of rights. It isn't what is written down but what the society does that counts.

Like another commenter, I was struck by the absurdity of the numbers. A trillion dollars. You mean the losses to US companies are more than half the GDP of India, or 3/4 the GDP of Russia, or nearly half the GDP of Britain?

Then there are references to bringing data centers to their knees when what is meant is that data won't be analyzed. Do we actually analyze what we get now? I doubt it. To what degree do we analyze? No one knows so no one knows if this material will be piled up, ignored or probed for something useful. With digital data, it's not the volume but the tools used to dig into it. We don't have to lift this stuff by hand. So for example, let's say they have data and they want to pursue that further. The availability of more data may mean they can get somewhere useful in identifying actual threats. They don't otherwise need to analyze every freaking thing.

I am very skeptical of the doomsday assertion of enormous costs to businesses and individuals caused by cybercrime. There is no reliable measure of this. The numbers used to illustrate this are so far apart -- 100 billion to 1 trillion, this Economist article states -- that this by itself shows we have no idea and just guess, throwing numbers around. In turn, these reckless, inflated and unsupported claims are used by powerful interests to justify totally demolishing our privacy and our constitutional protections. CISPA is another blow to the supposed constitutional guarantees we have in the USA and another victory for the military-intelligence-business establishment that sees us more and more as totally subservient entities devoid of rights, to be milked for profit, information and power.

These outlandish claims of business losses due to online piracy probably include the presumptive losses of sales of CDs and DVDs--as if all the world's media thieves were to actually pay retail prices for the music and movies they "share" so freely. These numbers are being used to create the public justification for destroying Americans' privacy to protect business profits.

The real reason for these draconian laws--that so blatantly violate our Constitutional rights--is the insatiable desire of NSA, CIA, FBI, Federal, State, County, and Local civil servants to listen to all our conversations, record all our online activities, capture all our financial transactions, and track all our physical movements without any bothersome warrants or supervision.

Massive data mining by US government agencies has been a reality for quite some time, enabled by required hooks into the telecom network and legal immunity for the companies who provide this access. You thought this only occurs in China? Big Brother is watching you, America.

This is just the latest of many examples (a huge number originating in the United States, sad to say) of the words of Benjamin Franklin ... a man who knew a thing or two ...
Those who would give up essential liberty to purchase a little

I'm wondering if the author has read the bill, because this: "If CISPA were to become law, firms that collect lots of information on individuals would quickly find themselves being coerced into helping the National Security Agency" is expressly forbidden in the bill. This argument is a joke.

The enemies, whoever they are, can flood NSA with zillions of garbage bytes - e.g. meaningless but strongly encrypted messages - to keep it busy and overworked at a faster pace than NSA would make sense of it.

"Sure doesn't sound very libertarian to me and more like how a fascist would think."

That is because the Tea Party is at heart, a Fascist movement!

Fascism, as I'm sure many readers will know, was defined by George Orwell as the politics of the bully. What he actually wrote was this: "Except for the relatively small number of Fascist sympathizers, almost any English person would accept ‘bully’ as a synonym for ‘Fascist’. That is about as near to a definition as this much-abused word has come."

And the essence of bullying is to collapse your empathy for the bullied. If you do have empathy for the bullied you'll be disarmed as a bully. The same applies to Fascism. Hitler succeeded in collapsing his followers' empathy for a particular human tribe - the Jews. As a result he succeeded in establishing a particularly egregious form of Fascism in his country.

By contrast 'St' Paul made Christianity into the exact opposite - an empathy bomb intended to destroy Roman Fascism, which oppressed his country (he was a Roman Citizen but born a Jew). This is what the exhortations to 'love thine enemies', 'do good to those who would do evil unto you', and 'turn the other cheek' would encourage, if people genuinely adhered to them. How could you be a Fascist if you empathised like that with your victims?

Arguably you shouldn't call yourself a Christian if you don't, but who - really - does this? Well, the tea-partyist would say they were Christian - indeed fundamentalist Christianity, with its very un-Christian attitudes towards non-fundamentalists, seems to be bound up in what passes for their philosophy (maybe that's a word with too many letters for what they believe in).

Well, the Christians have the saying that ‘by their fruits shall ye know them’.

Apparently, on the day that the Obamacare bill was passed, a bunch of tea-partyists in Philadelphia came across a man begging in the street. He had Parkinson’s disease, no healthcare and no money. Far from showing anything remotely like the Christian charity Americans claim to be proud of, these tea-partyists proceeded to abuse this beggar, at first verbally, advising him that he ‘was in the wrong part of town’ for this sort of thing, then they started kicking him. Eventually someone stepped in, claiming to ‘buy this man’ and showered one dollar bills all over him. It was not exactly a charitable gesture but at least they stopped there, maybe interrupted because someone recorded the whole thing on their camera-phone and the footage went up on a website. ‘By their fruits shall ye know them’, indeed!

I too would be interested in a more rigorous analysis of estimates of damage incurred by cyber crime. My understanding is that given the nature of how poor the sample is, models tend to fluctuate wildly.

The problem of cyber crime arises primarily from the fundamental shortcomings of the TCP/IP network; therefore only an entirely new generation of network architecture, completely independent of and incompatible with the Internet, could eradicate it.
Call it Biznet or Commercenet or whatever, but only a fully encrypted, real-ID network backed up by a biometric registry could wipe out cyber crimes.

First off, I would take the Canadian Charter of Rights and Freedoms over the US constitution any day. To start an argument with the throw-away idea that people would prefer the freedom to possess a gun rather than give equal rights to people regardless of their sexual preference is ludicrous.
But ignoring that, I am curious as to what the net costs to society are when corporate espionage leads to corporations losing $100b - $1t. Presumably this is proprietary information that leads to not just asymmetrical information to the detriment of the consumer but also to some monopolistic pressures. I wonder if the people who steal this information and use it to produce imitation products in developing nations might be doing some good. Don't get me wrong, I understand that proprietary information and patents are necessary to promote research into new products, but somehow I doubt the net cost to society is as high as it is to the victim corporations.

Yes, a fully encrypted, trusted root system would go a long way to fixing the problem, but privacy and anonymity are paramount in order for it to be truly secure. If criminals (state sponsored or independent) don't know which device is responsible or connected to which service or to which other device, it makes their whole cyber operation useless. So it is only when privacy and anonymity combine with encryption that we get a secure and robust environment in which we can communicate and transact safely away from all prying eyes and malicious actors.